
CN102792311A - Secure dynamic authority delegation - Google Patents

Secure dynamic authority delegation

Info

Publication number
CN102792311A
CN102792311A
Authority
CN
China
Prior art keywords
resource
requester
owner
authorization token
authorization
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011800135696A
Other languages
Chinese (zh)
Other versions
CN102792311B (en)
Inventor
I·凡博格
H-L·陆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alcatel Lucent SAS
Original Assignee
Alcatel Lucent SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alcatel Lucent SAS
Publication of CN102792311A
Application granted
Publication of CN102792311B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 12/00 Data switching networks
                    • H04L 12/02 Details
                        • H04L 12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
                        • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/31 User authentication
                            • G06F 21/33 User authentication using certificates
                                • G06F 21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
                • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F 2221/2103 Challenge-response
                        • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

In a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, the resource owner detects an event occurrence, where the event occurrence represents a request for access to one or more resources of the resource owner stored in a resource location. In response to the event occurrence, the resource owner sends an authorization token to the resource requester; the authorization token serves as proof of the authorization delegated by the resource owner, and the resource requester presents that proof to the resource location in order to be permitted to access the one or more requested resources stored in the resource location.

Description

Secure Dynamic Authority Delegation

Technical field

The present invention relates generally to communication networks, and more particularly to techniques for use in communication networks for securely and dynamically delegating authorization, so as to enable applications that involve access to protected resources by entities other than the resource owner.

Background

This section introduces aspects that may be helpful in facilitating a better understanding of the invention. Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is prior art or what is not prior art.

Various tools available via communication networks such as the World Wide Web allow users to create their own applications or web pages. One example is called a "mashup", which is a web page or application that uses or combines data or functionality from two or more sources to create a new service or application. A problem arises, however, when the user is asked to provide his or her credentials (user name and password) for the different sources: this exposes information between the sources and gives one source full access to another, which may not be what the user intends.

A protocol called OAuth attempts to provide a solution to this problem. In general, the OAuth protocol (see http://oauth.net/) enables users to grant third-party access to their web resources without having to share their passwords. The protocol has several limitations and drawbacks, however. First, because the protocol is tied to the Hypertext Transfer Protocol (HTTP), it is not applicable to non-web applications. Second, because the protocol relies on the use of HTTP redirects, it is susceptible to phishing attacks. The protocol also requires multiple round trips to obtain the delegated authorization, which is not optimal for application performance. Finally, the protocol is overly complex because it uses more than one kind of delegation evidence and a proof mechanism involving repeated cryptographic signatures. Accordingly, there is a need for an improved approach to delegation of rights that overcomes these and other drawbacks.

Summary of the invention

Embodiments of the invention provide a general, efficient and secure method for dynamically delegating authorization to enable applications (for example, mashups and third-party applications) on a communication network (for example, the World Wide Web or a next-generation network), where those applications involve access to protected resources by entities other than the resource owner.

In a first aspect, a method comprises the following steps. In a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, the resource owner detects an event occurrence, where the event occurrence represents a request for access to one or more resources of the resource owner stored in a resource location. In response to the event occurrence, the resource owner sends an authorization token to the resource requester; the authorization token serves as proof of the authorization delegated by the resource owner, and the resource requester is to present that proof to the resource location so that the resource requester can access the one or more requested resources stored in the resource location.

In one or more embodiments, the event occurrence may be the resource owner receiving a resource request from the resource requester (for example, a pull method). Alternatively, the event occurrence may be the occurrence of a trigger event associated with an application (for example, a push method). The resource location may reside in a third computing device, or it may reside in the first computing device. The authorization token may have one or more verifiable structures and a limited lifetime, and may specify the method to be used for authenticating the resource requester or the assurance level required for authenticating the resource requester. The verifiable structure may include a digital signature of the resource owner. The authorization token may specify one or more actions that are permitted to be performed on the one or more requested resources. The resource requester can obtain the authorization token from the resource owner in a single round trip. The mechanism for obtaining the token can be bound to an existing application protocol, and presenting the authorization token to gain access to the one or more requested resources can likewise be bound to an existing application protocol.

Further, the proof of authorization delegated by the resource owner may be passed from the resource requester to at least one other resource requester, so that the other resource requester can present another authorization token to the resource location in order to be permitted to access the one or more requested resources stored in the resource location. The other authorization token obtained by the other resource requester may specify a scope of permitted actions that is a subset of the scope of authorized actions specified in the authorization token that the resource requester obtained directly from the resource owner. In one embodiment, the other authorization token obtained by the other resource requester does not change the method used to authenticate the resource requester or the assurance level for authenticating the resource requester. Further, the other authorization token may be a modified form of the originally received authorization token, the modification being performed by the previous resource requester before it sends the modified form of the authorization token to the other resource requester.

Still further, the resource owner may authenticate the resource requester before sending the authorization token to the resource requester.

In a second aspect, a method comprises the following steps. In a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, where the resource owner detects an event occurrence and the event occurrence represents a request for access to one or more resources of the resource owner stored in a resource location, the resource requester receives an authorization token sent by the resource owner in response to the event occurrence; the authorization token serves as proof of the authorization delegated by the resource owner, and the resource requester is to present that proof to the resource location so that the resource requester can access the one or more requested resources stored in the resource location.

In one or more embodiments, the resource location may authenticate the resource requester before the resource requester presents the authorization token to the resource location. The resource location verifies the authorization token presented by the resource requester before acting on the one or more requested resources. Further, the resource location may authenticate the resource requester after the resource requester presents the authorization token to the resource location. The resource requester may also pass the proof of authorization delegated by the resource owner to at least one other resource requester. Such passing may include the resource requester sending another authorization token to the other resource requester so that the other resource requester can present that other authorization token to the resource location and thereby be permitted to access the one or more requested resources stored in the resource location.

In a third aspect, a method comprises the following steps. In a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, where the resource owner detects an event occurrence, the event occurrence represents a request for access to one or more resources of the resource owner stored in a resource location, and the resource requester receives an authorization token sent by the resource owner in response to the event occurrence, the resource location receives the authorization token, which serves as proof of the authorization delegated by the resource owner to the resource requester, in order to permit the resource requester to access the one or more requested resources stored in the resource location.

Advantageously, the dynamic authorization delegation techniques of the invention are applicable to both web and non-web applications. The techniques of the invention do not rely on the use of HTTP redirects and do not require multiple round trips to obtain the delegated authorization. Further, the techniques of the invention are less complex than existing authorization delegation schemes.

Brief description of the drawings

These and other objects, features and advantages of the present invention will become apparent from the following detailed description of illustrative embodiments, read in conjunction with the accompanying drawings, in which:

FIG. 1 shows entities participating in secure dynamic authorization delegation according to an embodiment of the invention;

FIG. 2 shows the basic structure of an authorization token according to an embodiment of the invention;

FIG. 3 shows a method, performed by a resource requester, for requesting an authorization token according to an embodiment of the invention;

FIG. 4 shows a method performed by a resource owner in response to a request for an authorization token according to an embodiment of the invention;

FIGS. 5A and 5B show a method, performed by a resource requester, for accessing a protected resource according to an embodiment of the invention;

FIGS. 6A and 6B show a method performed by a resource location in response to a request to access a protected resource according to an embodiment of the invention;

FIG. 7 shows the structure of another authorization token according to an embodiment of the invention;

FIG. 8 shows a hardware architecture of a communication network suitable for implementing secure dynamic authorization delegation according to an embodiment of the invention.

Detailed description

The invention will be described below in conjunction with exemplary communication networks and exemplary applications. It should be understood, however, that the invention is not limited to use with any particular type of communication network or application. The disclosed techniques are suitable for use with a wide variety of communication networks, including web-based and non-web-based networks, and with many kinds of applications. Indeed, the disclosed techniques may be implemented with any suitable application in any suitable communication network in which it is desirable to provide dynamic delegation of authorization so as to enable applications, on that network, that involve access to protected resources by entities other than the resource owner.

As used herein, "authorization delegation" generally refers to a party that is able to access an item allowing another party to access that item. As an example, in the embodiments below, a resource owner allows a resource requester to access a resource by means of an authorization token. The operation is considered "dynamic" in the sense that the delegation is performed on demand in real time rather than through provisioning.

As used herein, a "token" generally refers to a data object or structure representing access control criteria and operations that can be verified or authenticated. As used herein, a "resource" generally refers to any item, data, information or the like that can be accessed over a communication network.

As used herein, an "application" generally refers to computer software designed to assist a user or entity with one or more specified tasks.

As will be explained herein, illustrative embodiments of the invention provide techniques that enable a resource requester to dynamically obtain, directly from the resource owner, permission to access resources in the owner's resource location. As used herein, a "location" generally refers to a storage location accessible via a communication network. The resource requester can access a protected resource in the resource location by presenting proof of authorization delegated by the resource owner. That proof (that is, the authorization token) has a verifiable structure and a limited lifetime, and also specifies the method and assurance level to be used for authenticating the resource requester. The resource requester can dynamically obtain an authorization token from the resource owner in a single round trip through a request-response mechanism that can be bound to an existing application protocol. For example, the resource token request and response can be carried over HTTP or the Session Initiation Protocol (SIP) as part of the message header, the message body, or both. The mechanism for presenting the resource token to gain access to a protected resource is likewise request-response based and can be bound to an existing application protocol; for example, the token can be carried over HTTP or SIP as part of the message header or body.

FIG. 1 shows a system 100 according to an embodiment of the invention, in which entities participate in secure dynamic authorization delegation. As shown, the system involves three kinds of actors: a resource owner 102, a resource requester 104 and a resource location 106. It should be appreciated that each of these three actors can be implemented as one or more computing devices, as will be explained further below.

The resource owner 102 can be embodied as a user agent (in the case of an end user) or as an authorization server (in the case of a service provider or organization). Similarly, the resource requester 104 can be embodied as a user agent (in the case of an end user) or as an application server (in the case of a service provider or organization). In a use case where "Alice" (operating computing device A) asks a photo printing service provider to print the photos from her trip to Moscow that she stores on a server, the resource owner 102 (Alice) would be represented by a user agent (for example, a web browser program executing on computing device A), while the resource requester 104 (the photo printing service provider) would be represented by an application server. In another use case, where "Bob" (operating computing device B) is a user of an online movie service, the resource owner 102 (the online movie service provider) would be represented by an authorization server, while the resource requester 104 (Bob) would be represented by a user agent (for example, a web browser program executing on computing device B).

To gain access to a particular protected resource in the resource location 106, the resource requester 104 needs to obtain an authorization token directly from the resource owner 102; the token has the basic structure 200 shown in FIG. 2 (discussed further below). Two approaches are possible for this: pull and push. In the pull approach, the resource requester 104 and the resource owner 102 exchange a request and a response. The token request identifies at least the requester, the target resource and the associated actions. FIGS. 3 and 4, explained below, show the pull approach from the perspective of the resource requester 104 and the resource owner 102, respectively. In the push approach, the resource owner 102 can issue an authorization token to the resource requester 104 as the result of an application trigger rather than as the result of an explicit request from the resource requester.

FIG. 3 shows a pull method 300, on the resource requester side (for example, 104 in FIG. 1), for requesting a basic authorization token. In step 302, the resource requester generates and sends an authorization token request to the resource owner. In step 304, the resource requester examines the first response received from the resource owner and, in step 306, determines whether the first response contains an authentication request (whereby the resource owner asks to authenticate the requester before sending it an authorization token) or whether the first response contains an authorization token.

If the first response from the resource owner is not an authentication request but contains an authorization token, and therefore step 308 (that is, the check for receipt of a failure token response, described below) yields a negative result, the requester saves the authorization token in step 310 (for later sending to the resource location).

If, however, the first response from the resource owner is an authentication request, then in step 312 the resource requester generates and sends an authentication response to the resource owner. In step 314, the resource requester examines the second response received from the resource owner and determines whether the second response contains an authorization token (which implies that authentication succeeded). If so, step 308 (failure token response) yields a negative result and the requester saves the authorization token in step 310 (for later sending to the resource location). If, however, authentication failed, the second response received from the resource owner is a failure token response, meaning that the resource owner will not issue an authorization token to the requester. It should be understood that the technique used to authenticate the requester may be any conventional authentication technique.

FIG. 4 shows a pull method 400, on the resource owner side (for example, 102 in FIG. 1), for processing a token request. In step 402, the resource owner checks whether the resource requester from which the token request was received has already been authenticated. If not, then in step 404 the resource owner generates an authentication request and sends it to the resource requester. In step 406, the resource owner examines the authentication response received from the resource requester. In step 408, a check is made to determine whether authentication succeeded. If it did not, the resource owner sends a failure token response to the requester in step 410 (that is, it does not send an authorization token to the requester). If, however, authentication succeeded, the owner decides in step 412 whether the requester should be allowed to access the owner's resource and, if so, generates an authorization token in step 414 and sends it to the requester. If access is denied, a failure token response is sent in step 410.
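The pull exchange of FIGS. 3 and 4, shown with both sides' messages, as an added example that is not part of the patent or of any Alcatel-Lucent code. The requester names, secrets and owner policy are constructed; authentication of the requester is a pre-shared-secret HMAC challenge-response, which is an assumption made here only because the text leaves the authentication technique open. Token signing and lifetime are left out of this block so that the exchange itself stays visible.

```python
"""Pull exchange of FIGS. 3 and 4 (added example, not the patent's code).
Requester authentication is a constructed HMAC challenge-response over a
pre-shared secret; the page says any conventional technique may be used."""
import hashlib
import hmac
import secrets

# Constructed data: requester secrets known to the owner, and the owner's policy.
REQUESTER_SECRETS = {"print-svc": b"print-svc-secret"}
OWNER_POLICY = {("print-svc", "trip-photos"): {"read", "list"}}


def _proof(secret, nonce):
    """Challenge-response proof: HMAC-SHA256 over the owner's nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ResourceOwner:
    """Owner side (FIG. 4, steps 402-414)."""

    def __init__(self):
        self.authenticated = set()   # requesters already authenticated (step 402)
        self.pending = {}            # requester -> (nonce, deferred token request)
        self.log = []                # message types exchanged, for inspection

    def handle(self, msg):
        self.log.append(msg["type"])
        requester = msg["requester"]
        if msg["type"] == "token_request":
            if requester in self.authenticated:
                return self._decide(msg)                       # step 402 -> 412
            nonce = secrets.token_hex(16)
            self.pending[requester] = (nonce, msg)
            return self._reply({"type": "auth_request", "nonce": nonce})  # step 404
        if msg["type"] == "auth_response":                     # step 406
            nonce, deferred = self.pending.pop(requester, (None, None))
            secret = REQUESTER_SECRETS.get(requester, b"")
            ok = nonce is not None and hmac.compare_digest(_proof(secret, nonce), msg["proof"])
            if not ok:                                         # step 408: failed
                return self._reply({"type": "failure_token_response"})  # step 410
            self.authenticated.add(requester)
            return self._decide(deferred)
        return self._reply({"type": "failure_token_response"})

    def _decide(self, req):
        """Step 412: policy decision; step 414: issue the token."""
        allowed = OWNER_POLICY.get((req["requester"], req["resource"]), set())
        if not set(req["actions"]) <= allowed:
            return self._reply({"type": "failure_token_response"})  # step 410
        token = {"requester": req["requester"], "resource": req["resource"],
                 "actions": sorted(req["actions"])}            # signature/lifetime omitted here
        return self._reply({"type": "token_response", "token": token})

    def _reply(self, msg):
        self.log.append(msg["type"])
        return msg


def request_token(requester, secret, resource, actions, owner):
    """Requester side (FIG. 3, steps 302-314): returns the token, or None on failure."""
    req = {"type": "token_request", "requester": requester,
           "resource": resource, "actions": actions}
    resp = owner.handle(req)                                   # steps 302-306
    if resp["type"] == "auth_request":                         # step 312
        resp = owner.handle({"type": "auth_response", "requester": requester,
                             "proof": _proof(secret, resp["nonce"])})  # step 314
    if resp["type"] != "token_response":                       # step 308: failure token response
        return None
    return resp["token"]                                       # step 310: save the token
```

A requester the owner has already authenticated gets its token in a single request/response pair; a first-time requester pays one extra exchange for the challenge, and a wrong proof or an action outside the owner's policy both end in the failure token response of step 410.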

Being in possession of the authorization token, the resource requester 104 can now request access to a protected resource in the resource location 106. On receiving a resource request (see FIG. 1), the resource location 106 takes the following actions:

1. verifies, based on the digital signature method specified in the token, that the digital signature associated with the request is valid;

2. verifies that the token has not expired, in terms of both time and maximum number of uses;

3. verifies that the requested resource and the action to be performed are part of the list of associated permissions and resources specified in the token;

4. verifies that the resource requester's name matches the requester name in the token; and

5. authenticates the resource requester using the method or strength level specified in the token.
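The five checks above, together with the narrowed re-delegation described in the summary (a second requester receives a modified token whose action scope is a subset of the original and whose authentication method is unchanged), as one added example that is not the patent's or Alcatel-Lucent's code. Everything concrete is an assumption made for the example: the owner's digital signature is stood in for by HMAC-SHA256 under a key the resource location shares with each signer, requester authentication is a pre-shared-secret challenge-response, a delegated token embeds the token it was derived from, and the keys, names and resources are constructed.

```python
"""Token issue, resource-location verification (checks 1-5) and narrowed
re-delegation. Added example, not the patent's code. HMAC-SHA256 under a
shared key stands in for the owner's digital signature (assumption)."""
import hashlib
import hmac
import json

# Constructed keys: per-signer keys known to the resource location, and per-requester PSKs.
SIGNING_KEYS = {"alice": b"alice-signing-key", "print-svc": b"print-svc-signing-key"}
PSK = {"print-svc": b"print-svc-psk", "courier": b"courier-psk"}


def _sign(body, key):
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue_token(issuer, requester, grants, expires, max_uses, auth_method, parent=None):
    """Build a token with the FIG. 2 fields, signed by `issuer`; `grants` maps resource -> actions."""
    body = {"issuer": issuer, "requester": requester, "grants": grants, "expires": expires,
            "max_uses": max_uses, "auth_method": auth_method, "sig_method": "HMAC-SHA256"}
    return {"body": body, "sig": _sign(body, SIGNING_KEYS[issuer]), "parent": parent}


def delegate(token, new_requester, narrowed_grants):
    """Previous requester re-issues a narrowed token to another requester (subset of scope,
    same authentication method, same lifetime); widening is refused at issue time."""
    p = token["body"]
    for res, acts in narrowed_grants.items():
        if not set(acts) <= set(p["grants"].get(res, [])):
            raise ValueError(f"refusing to widen scope on {res}")
    return issue_token(p["requester"], new_requester, narrowed_grants, p["expires"],
                       p["max_uses"], p["auth_method"], parent=token)


def _signature_valid(token):
    """Check 1: this token's signature and, recursively, the delegation chain it embeds."""
    body = token["body"]
    key = SIGNING_KEYS.get(body["issuer"])
    if body["sig_method"] != "HMAC-SHA256" or key is None:
        return False
    if not hmac.compare_digest(_sign(body, key), token["sig"]):
        return False
    parent = token["parent"]
    if parent is None:
        return True
    pb = parent["body"]
    chain_ok = (pb["requester"] == body["issuer"]            # only the holder may delegate
                and body["auth_method"] == pb["auth_method"]  # method must not be changed
                and body["expires"] <= pb["expires"]
                and all(set(a) <= set(pb["grants"].get(r, [])) for r, a in body["grants"].items()))
    return chain_ok and _signature_valid(parent)


def _authenticate(requester, method, nonce, proof):
    """Check 5 with the constructed PSK method; any other method name is unknown here."""
    if method != "psk-hmac" or requester not in PSK:
        return False
    expected = hmac.new(PSK[requester], nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof)


def verify_request(token, request, now, usage):
    """Resource-location checks 1-5; `usage` counts presentations per token signature."""
    body = token["body"]
    if not _signature_valid(token):
        return "bad signature"                                                   # check 1
    if now >= body["expires"] or usage.get(token["sig"], 0) >= body["max_uses"]:
        return "token expired"                                                   # check 2
    if request["action"] not in body["grants"].get(request["resource"], []):
        return "action not granted"                                              # check 3
    if request["requester"] != body["requester"]:
        return "requester mismatch"                                              # check 4
    if not _authenticate(request["requester"], body["auth_method"], request["nonce"], request["proof"]):
        return "authentication failed"                                           # check 5
    usage[token["sig"]] = usage.get(token["sig"], 0) + 1
    return "ok"


def make_request(requester, resource, action, nonce):
    """Requester-side resource request carrying its authentication proof for the nonce."""
    proof = hmac.new(PSK[requester], nonce.encode(), hashlib.sha256).hexdigest()
    return {"requester": requester, "resource": resource, "action": action,
            "nonce": nonce, "proof": proof}
```

The checks run in the order the list gives them, and the use counter is only advanced once all five pass, so a rejected presentation does not consume one of the token's uses. A delegated token that tampers with its grants fails check 1 even if the tampered grants are still a subset, because the signature covers the body; the subset test in the chain walk catches a delegator that signs a wider scope than it holds.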

FIGS. 5A and 5B show a method 500, on the resource requester side (for example, 104 in FIG. 1), for accessing a protected resource held by a resource location (for example, 106 in FIG. 1) without necessarily including the authorization token in the initial request.

In step 502, the resource requester generates and sends a resource request to the resource location. In step 504, the resource requester examines the first response received from the resource location and, in step 506, determines whether the first response contains an authentication request (whereby the resource location asks to authenticate the requester before allowing it to access the resource) or whether the first response requests an authorization token.

If the first response from the resource location is not an authentication request but a request for an authorization token (514, described below), and step 508 (the check for receipt of a failure response, described below) therefore yields a negative result, the requester sends the authorization token (516, described below).

If, however, the first response from the resource location is an authentication request, then in step 510 the resource requester generates and sends an authentication response to the resource location. In step 512, the resource requester examines the second response received from the resource location and determines whether it is a failure response (508) or a request for the authorization token (514), the latter implying that authentication succeeded. In the latter case, the requester sends in step 516 the authorization token it received from the resource owner under the protocol described above in the context of FIGS. 3 and 4.

In step 518, the resource requester examines the third response received from the resource location and determines whether it is a further authentication request, i.e., a request by the resource location for another authentication to ensure that the requester is authenticated with the method specified in the token. That is, for enhanced security, the resource location may re-authenticate the requester every time it receives a token. If so, steps 524, 526 and 528 are performed, which are similar to steps 510, 512 and 508 described above. In step 530, the requester processes the response, which normally contains the requested resource.

FIGS. 6A and 6B show a method 600 on the resource location side (e.g., 106 in FIG. 1) for processing a resource request from a resource requester (e.g., 104 in FIG. 1). In step 602, the resource location checks whether the resource requester has already been authenticated. If so, in step 604 the resource location checks whether the requester is the resource owner (in which case the requester does not need an authorization token). If so, in step 606 the resource location applies the appropriate resource action and sends a response (e.g., providing access to the requested resource).

Returning to step 602, if the requester has not yet been authenticated and no authorization token has been provided by the requester (step 608), the authentication process is carried out in steps 610 (generate and send an authentication request to the requester), 612 (check the authentication response) and 614 (confirm that authentication succeeded). If it did not succeed, a failure response is sent to the requester in step 616. If authentication succeeded, step 604 is performed (check whether the requester is the owner) and, if it is, step 606 (apply the resource action and send the response). Otherwise, after successful authentication (step 614) and the owner check in step 604, the resource location requests an authorization token from the requester in step 618 and checks in step 620 whether the requester provided one. If not, a failure response is sent in step 616.

Once the token has been received, the resource location validates it in step 622. For example, validation determines whether the token signature is valid, whether the requester name in the request matches the token, whether the token is still unexpired, and whether the requested resource and action are within scope (i.e., what is permitted for the requester and/or the requested resource). It should be understood that, depending on the structure of the token, fewer or more validations may be performed on the token and its contents. If one or more aspects of the token cannot be validated, a failure response is sent to the requester in step 624, and the resource is thus not made available to that requester. If all aspects of the received token are validated, the resource location may request a further authentication process, according to the authentication requirement (in terms of method or assurance level) specified in the token. This is done in steps 626, 628, 630 and 632, which are similar to steps 610, 612 and 614. Assuming the second authentication succeeds, the resource action is applied and a response is sent in step 634 (i.e., access to the permitted resource). If it does not succeed, a failure response is sent in step 624.

Returning to FIG. 2, the basic structure of the authorization token consists of a list of fields (as name-value pairs) and the issuer's signature 202, which is computed over the fields with the specified signature algorithm 210 (e.g., RSA-SHA1 or HMAC-SHA256) using the issuer's private key or a shared key. A unique token identifier 204 can be constructed by concatenating the issuer name 206 with a timestamp. The issuer's certificate chain, or chain of certificate pointers, 208 is specified in the token; note that this field needs to be included only when the algorithm used to compute the issuer's signature is based on a private key, and then only to improve overall performance. Field 212 specifies the name (identity) of the resource requester. Field 214 specifies the method used to authenticate the requester, or the strength of that method. Field 216 specifies the name (identity) of the recipient, i.e., the device or server acting as the resource location.

The combined field 218 listing resources and permissions, the validity period 220 and the maximum number of uses 222 together set the overall scope of the delegation. The transferability level 224 indicates how far a token issued by the resource owner can be forwarded down a chain of token requesters beginning with the initial requester. It takes a non-negative integer value. A token with transferability level zero cannot be forwarded. A token with transferability level N can be passed by the initial token requester to a second token requester, on to a third token requester, and so on, up to the Nth token requester.

Having obtained a transferable token, a requester can issue a new token to a new requester on the basis of the old one. As shown in FIG. 7, the new token 700 specifies the identity of the new requester 708 (who will be authenticated by the same method as before) and a possibly narrowed delegation scope 710. In one embodiment, the new token 700 also includes the old token 704 (i.e., the token structure shown in FIG. 2) and the certificate chain, or chain of certificate pointers, 706 of the previous requester (now the issuer). The issuer's signature 702 is computed over the fields with a signature algorithm (which may be the same as the one specified in the old token) using the issuer's private key or a shared key.

When validating a forwarded token, the resource location must additionally check that:

1. The transferability level is greater than the number of new requesters present;

2. All signatures are valid; and

3. The scope has not widened as the token was forwarded along the path.
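As an added worked example (code written for this page, not code from the patent or from Alcatel Lucent), the following Python models the token fields of FIG. 2 and FIG. 7 and the resource location's checks listed under FIG. 1 and step 622, for both a directly issued token and a forwarded one. Everything concrete here is an assumption made for the example: the field names, HMAC-SHA256 over a canonical JSON serialization as the shared-key signing method, representing the old token 704 as a nested object, the `use_counts` dictionary as the state the location keeps for maximum-use enforcement, and all principal names, keys, resources and scopes. The transferability check follows the page's rule literally (level greater than the number of new requesters).

```python
import hashlib
import hmac
import json
import time

# Shared HMAC keys known to the resource location, keyed by principal name (constructed sample data)
SHARED_KEYS = {"alice": b"alice-owner-key", "content-manager": b"manager-key", "bob": b"bob-key"}

# Name-value fields covered by the issuer's signature: fields 204-224 of FIG. 2 plus the old token 704 of FIG. 7 (names assumed)
SIGNED_FIELDS = ("token_id", "issuer", "requester", "auth_method", "recipient",
                 "scope", "expires_at", "max_uses", "transferability", "old_token")

class TokenError(Exception): pass          # any aspect of a token that fails validation

def canonical(token):
    # Deterministic serialization so issuer and verifier hash identical bytes
    return json.dumps({k: token.get(k) for k in SIGNED_FIELDS}, sort_keys=True).encode()

def sign(token, key):
    return hmac.new(key, canonical(token), hashlib.sha256).hexdigest()

def issue_token(issuer, requester, recipient, scope, ttl, max_uses, transferability,
                auth_method="password", old_token=None, now=None):
    """Build and sign a token laid out as in FIG. 2 (FIG. 7 when old_token is given)."""
    now = time.time() if now is None else now
    token = {
        "token_id": f"{issuer}:{int(now)}",  # issuer name concatenated with a timestamp
        "issuer": issuer,
        "requester": requester,
        "auth_method": auth_method,
        "recipient": recipient,
        "scope": scope,                      # {resource: [allowed actions]}
        "expires_at": now + ttl,
        "max_uses": max_uses,
        "transferability": transferability,
        "old_token": old_token,              # previous token when this one is forwarded
        "sig_alg": "HMAC-SHA256",            # shared-key algorithm named on the page
    }
    token["signature"] = sign(token, SHARED_KEYS[issuer])
    return token

def scope_within(inner, outer):
    """True when every resource/action granted by `inner` is also granted by `outer`."""
    return all(res in outer and set(acts) <= set(outer[res]) for res, acts in inner.items())

def verify_signature(token, now):
    key = SHARED_KEYS.get(token.get("issuer"))
    if key is None or token.get("sig_alg") != "HMAC-SHA256":
        raise TokenError("unknown issuer or unsupported signature algorithm")
    if not hmac.compare_digest(sign(token, key), token.get("signature", "")):
        raise TokenError(f"bad signature on {token.get('token_id')}")
    if now >= token["expires_at"]:
        raise TokenError(f"token {token['token_id']} has expired")

def validate(token, request, use_counts, now=None, self_name="content-server"):
    """Resource location's checks on a presented, possibly forwarded, token.
    `use_counts` is the per-token state needed to enforce max_uses. Returns the hop count."""
    now = time.time() if now is None else now
    chain, t = [], token               # presented token first, owner's root token last
    while t is not None:
        chain.append(t)
        t = t.get("old_token")
    root, hops = chain[-1], len(chain) - 1

    for t in chain:                    # all signatures valid, no link expired
        verify_signature(t, now)
    if hops and root["transferability"] <= hops:   # level > number of new requesters
        raise TokenError("transferability level does not allow this many forwards")
    for newer, older in zip(chain, chain[1:]):     # each link narrows, never widens
        if newer["issuer"] != older["requester"] or newer["recipient"] != older["recipient"]:
            raise TokenError("forwarded token is not linked to the previous requester")
        if not scope_within(newer["scope"], older["scope"]):
            raise TokenError("scope widened along the delegation path")

    if token["recipient"] != self_name:
        raise TokenError("token was issued for a different resource location")
    if token["requester"] != request["requester"]:
        raise TokenError("requester name does not match the token")
    if request["auth_method"] != token["auth_method"]:
        raise TokenError("requester was not authenticated with the method the token requires")
    if request["action"] not in token["scope"].get(request["resource"], []):
        raise TokenError("requested resource or action is outside the delegated scope")
    used = use_counts.get(token["token_id"], 0)
    if used >= token["max_uses"]:
        raise TokenError("maximum number of uses exhausted")
    use_counts[token["token_id"]] = used + 1
    return hops

def decide(token, request, use_counts, now=None):
    """Accept/reject outcome of steps 622/624 as a string."""
    try:
        validate(token, request, use_counts, now)
        return "granted"
    except TokenError as exc:
        return f"denied: {exc}"
```

The chain is verified from the presented token back to the owner's root token, so a forwarded token is accepted only if every issuer in the path was itself the requester named in the previous token, every signature checks out, and no link grants more than the one before it. The `use_counts` map is the state the text says a resource location must keep for tokens with a limited number of uses; it is updated only after every other check has passed, so a rejected request does not consume a use.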

A use case for transferable tokens is the following: Alice publishes certain content on a content server and lets the associated content manager act as her proxy for handling other people's access to her content. Note that, to support transferable tokens or tokens with a limited number of uses, the resource location must maintain state.

Finally, FIG. 8 shows a generalized hardware architecture of a communication network 800 suitable for implementing secure dynamic authority delegation according to the principles of the invention described above.

As shown, the computing device 810 of the resource owner (e.g., 102 in FIG. 1), the computing device 820 of the resource location (e.g., 106 in FIG. 1) and the computing device 830 of the resource requester (e.g., 104 in FIG. 1) are operatively coupled via a communication network medium 850. The network medium may be any network medium over which the computing devices wish to communicate. By way of example, the network medium can carry IP packets end to end and may involve UMTS (Universal Mobile Telecommunications System), WiFi or DSL (Digital Subscriber Line) in the access network, Ethernet in the metropolitan area network and MPLS (Multiprotocol Label Switching) in the backbone network. The invention is not, however, limited to any particular type of network medium. In general, depending on the authority delegation scenario being performed, each computing device may act as a client machine or as a server machine. It should also be understood that, although the resource location is shown as a separate computing device, it may be part of the same computing device as the owner or the requester. Likewise, although the resource owner, requester and location are each shown in FIG. 8 as implemented by one computing device, it should be understood that each may be implemented by more than one such computing device. As will be apparent to those skilled in the art, the computing devices may be implemented as programmed computers operating under the control of computer program code. The computer program code is executed by the computer's processor. Given the present disclosure, a person skilled in the art can readily produce suitable computer program code to implement the protocols described herein.

FIG. 8 nonetheless shows, in general terms, an exemplary architecture for each device communicating over the network medium. As shown, the resource owner 810 comprises I/O devices 812, a processor 814 and memory 816. The resource location 820 comprises I/O devices 822, a processor 824 and memory 826. The resource requester 830 comprises I/O devices 832, a processor 834 and memory 836.

It should be understood that the term "processor" as used herein is intended to include one or more processing devices, including a central processing unit (CPU) or other processing circuitry, including but not limited to one or more signal processors, one or more integrated circuits, and so on. Likewise, the term "memory" as used herein is intended to include memory associated with a processor or CPU, such as RAM, ROM, a fixed storage device (e.g., a hard drive) or a removable storage device (e.g., a diskette or CD-ROM). Furthermore, the term "I/O devices" as used herein is intended to include one or more input devices (e.g., keyboard, mouse) for entering data into the processing unit, as well as one or more output devices (e.g., a CRT display) for presenting results associated with the processing unit.

Accordingly, software instructions or code for carrying out the methods of the invention described herein may be stored in one or more of the associated storage devices, such as ROM or fixed or removable memory, and, when ready to be used, loaded into RAM and executed by the CPU. That is, each of the computing devices (810, 820 and 830) shown in FIG. 8 may be individually programmed to perform its respective protocol steps shown in FIGS. 1 and 7.

Although illustrative embodiments of the invention have been described herein with reference to the accompanying drawings, it should be understood that the invention is not limited to those precise embodiments, and that various changes and modifications may be made by those skilled in the art without departing from the scope or spirit of the invention.

Claims (10)

1. A method comprising:
- in a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, the resource owner detecting an event occurrence, the event occurrence representing a request to access one or more resources of the resource owner stored at a resource location;
- the resource owner sending, in response to the event occurrence, an authorization token to the resource requester, the authorization token serving as proof of authorization delegated by the resource owner, which proof is presented by the resource requester to the resource location to permit the resource requester to access the one or more requested resources stored at the resource location.

2. The method of claim 1, wherein the event occurrence is the resource owner receiving a resource request from the resource requester, such that the resource requester and the resource owner exchange requests and responses by a pull communication method.

3. The method of claim 1, wherein the event occurrence is the occurrence of a trigger event associated with an application, such that the communication method between the resource requester and the resource owner is a push communication method.

4. The method of claim 1, wherein the proof of authorization delegated by the resource owner is transferable from the resource requester to at least one other resource requester, such that the other resource requester can present another authorization token to the resource location to permit that other resource requester to access the one or more requested resources stored at the resource location.

5. The method of claim 1, wherein obtaining the authorization token and presenting it to gain access to the one or more requested resources is bound to an existing application protocol.

6. An apparatus for implementing a first computing device representing a resource owner, the apparatus comprising a memory and a processor coupled to the memory and configured to perform the steps of claim 1.

7. A method comprising:
- in a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, and in which the resource owner detects an event occurrence representing a request to access one or more resources of the resource owner stored at a resource location;
- the resource requester receiving an authorization token sent by the resource owner in response to the event occurrence, the authorization token serving as proof of authorization delegated by the resource owner, which proof is presented by the resource requester to the resource location to permit the resource requester to access the one or more requested resources stored at the resource location.

8. The method of claim 7, further comprising the resource location authenticating the resource requester in at least one of the following cases: before the resource requester presents the authorization token to the resource location, and after the resource requester presents the authorization token to the resource location.

9. The method of claim 7, further comprising the resource location validating the authorization token presented by the resource requester before acting on the one or more requested resources.

10. A method comprising:
- in a communication network in which a first computing device represents a resource owner and a second computing device represents a resource requester, in which the resource owner detects an event occurrence representing a request to access one or more resources of the resource owner stored at a resource location, and in which the resource requester receives an authorization token sent by the resource owner in response to the event occurrence;
- the resource location receiving the authorization token, the authorization token serving as proof of the authorization delegated by the resource owner to the resource requester to permit the resource requester to access the one or more requested resources stored at the resource location.
CN201180013569.6A 2010-03-12 2011-02-22 Safety actuality power is appointed Active CN102792311B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US12/723,049 2010-03-12
US12/723,049 US8776204B2 (en) 2010-03-12 2010-03-12 Secure dynamic authority delegation
PCT/US2011/025641 WO2011112345A1 (en) 2010-03-12 2011-02-22 Secure dynamic authority delegation

Publications (2)

Publication Number Publication Date
CN102792311A true CN102792311A (en) 2012-11-21
CN102792311B CN102792311B (en) 2015-07-29

Family

ID=44148917

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180013569.6A Active CN102792311B (en) 2010-03-12 2011-02-22 Safety actuality power is appointed

Country Status (6)

Country Link
US (1) US8776204B2 (en)
EP (2) EP2545482B1 (en)
JP (1) JP5635133B2 (en)
KR (1) KR101560440B1 (en)
CN (1) CN102792311B (en)
WO (1) WO2011112345A1 (en)


Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5596576A (en) * 1995-11-03 1997-01-21 At&T Systems and methods for sharing of resources
US20020147959A1 (en) * 2001-04-05 2002-10-10 Srikantam Vamsi K. Low power circuit design through judicious module selection
US20030028653A1 (en) * 2001-08-06 2003-02-06 New John C. Method and system for providing access to computer resources
US20030093524A1 (en) * 2001-11-13 2003-05-15 Microsoft Corporation Method and system for locking resources in a distributed environment
US20030236862A1 (en) * 2002-06-21 2003-12-25 Lawrence Miller Method and system for determining receipt of a delayed cookie in a client-server architecture
US20060080546A1 (en) * 2004-08-31 2006-04-13 Brannon Karen W System and method for regulating access to objects in a content repository
CN1941700A (en) * 2005-09-29 2007-04-04 阿瓦雅技术有限公司 Granting privileges and sharing resources in a telecommunications system
CN101222432A (en) * 2008-01-23 2008-07-16 中兴通讯股份有限公司 Resource accepting and control method
CN101663670A (en) * 2007-04-20 2010-03-03 微软公司 Request-specific authentication for accessing web service resources

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4868877A (en) * 1988-02-12 1989-09-19 Fischer Addison M Public key/signature cryptosystem with enhanced digital signature certification
US6892307B1 (en) * 1999-08-05 2005-05-10 Sun Microsystems, Inc. Single sign-on framework with trust-level mapping to authentication requirements
JP2002108840A (en) * 2000-09-28 2002-04-12 Toshiba Corp Distributed order-receiving system, receiving server, contents server, method for distributed receiving order and computer program product
JP2002278839A (en) * 2001-03-15 2002-09-27 Sony Corp Data access managing system, memory packaged device, data access managing method and program storage medium
JP2002278838A (en) * 2001-03-15 2002-09-27 Sony Corp Memory access control system, device managing device, partition managing device, memory packaged device, memory access control method and program storage medium
US7085232B1 (en) * 2001-03-29 2006-08-01 Cisco Technology, Inc. ARQ in a point to multipoint network
US20020147929A1 (en) * 2001-04-10 2002-10-10 Rose Mark E. Access control for distributed content servers
US7305701B2 (en) * 2001-04-30 2007-12-04 Microsoft Corporation Methods and arrangements for controlling access to resources based on authentication method
US6865555B2 (en) * 2001-11-21 2005-03-08 Digeo, Inc. System and method for providing conditional access to digital content
US20040019801A1 (en) 2002-05-17 2004-01-29 Fredrik Lindholm Secure content sharing in digital rights management
US7512782B2 (en) * 2002-08-15 2009-03-31 Microsoft Corporation Method and system for using a web service license
JP2004164299A (en) 2002-11-13 2004-06-10 Nec Corp Content using system and method, and server
KR100493900B1 (en) 2003-08-21 2005-06-10 삼성전자주식회사 Method for Sharing Rights Object Between Users
JP2005157881A (en) 2003-11-27 2005-06-16 Canon Inc Server terminal equipment, client terminal equipment, object management system, object management method, computer program and recording medium
US7685206B1 (en) * 2004-02-12 2010-03-23 Microsoft Corporation Authorization and access control service for distributed network resources
JP2006221506A (en) 2005-02-14 2006-08-24 Hitachi Software Eng Co Ltd Authority transfer method in user password authentication system
JP4766249B2 (en) 2006-03-01 2011-09-07 日本電気株式会社 Token transfer method, token transfer system, and authority authentication permission server
US7925023B2 (en) * 2006-03-03 2011-04-12 Oracle International Corporation Method and apparatus for managing cryptographic keys
KR20080046345A (en) * 2006-11-22 2008-05-27 삼성전자주식회사 Memory saving device and method of portable terminal
US8402508B2 (en) * 2008-04-02 2013-03-19 Microsoft Corporation Delegated authentication for web services
US8776204B2 (en) 2010-03-12 2014-07-08 Alcatel Lucent Secure dynamic authority delegation

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5596576A (en) * 1995-11-03 1997-01-21 At&T Systems and methods for sharing of resources
US20020147959A1 (en) * 2001-04-05 2002-10-10 Srikantam Vamsi K. Low power circuit design through judicious module selection
US20030028653A1 (en) * 2001-08-06 2003-02-06 New John C. Method and system for providing access to computer resources
US20030093524A1 (en) * 2001-11-13 2003-05-15 Microsoft Corporation Method and system for locking resources in a distributed environment
US20030236862A1 (en) * 2002-06-21 2003-12-25 Lawrence Miller Method and system for determining receipt of a delayed cookie in a client-server architecture
US7472171B2 (en) * 2002-06-21 2008-12-30 Jpmorgan Chase Bank, National Association Method and system for determining receipt of a delayed cookie in a client-server architecture
US20060080546A1 (en) * 2004-08-31 2006-04-13 Brannon Karen W System and method for regulating access to objects in a content repository
CN1941700A (en) * 2005-09-29 2007-04-04 阿瓦雅技术有限公司 Granting privileges and sharing resources in a telecommunications system
CN101663670A (en) * 2007-04-20 2010-03-03 微软公司 Request-specific authentication for accessing web service resources
CN101222432A (en) * 2008-01-23 2008-07-16 中兴通讯股份有限公司 Resource accepting and control method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
B. VRANCKEN et al.: "Using OAuth for recursive delegation draft-vrancken-oauth-redelegation-01", 28 February 2010 *
E. HAMMER-LAHAV, ED.: "The OAuth Core 1.0 Protocol; draft-hammer-oauth-03", 22 September 2009 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016095540A1 (en) * 2014-12-17 2016-06-23 华为技术有限公司 Authorization processing method, device and system
US11201778B2 (en) 2014-12-17 2021-12-14 Huawei Technologies Co., Ltd. Authorization processing method, device, and system

Also Published As

Publication number Publication date
WO2011112345A1 (en) 2011-09-15
JP5635133B2 (en) 2014-12-03
KR101560440B1 (en) 2015-10-14
EP2545482B1 (en) 2018-07-25
JP2013522722A (en) 2013-06-13
KR20120128674A (en) 2012-11-27
EP2545482A1 (en) 2013-01-16
EP3396574B1 (en) 2021-05-26
CN102792311B (en) 2015-07-29
EP3396574A1 (en) 2018-10-31
US8776204B2 (en) 2014-07-08
US20110225643A1 (en) 2011-09-15

Similar Documents

Publication Publication Date Title
JP5635133B2 (en) Secure dynamic privilege delegation
JP4886508B2 (en) Method and system for stepping up to certificate-based authentication without interrupting existing SSL sessions
US7533265B2 (en) Establishment of security context
US7496755B2 (en) Method and system for a single-sign-on operation providing grid access and network access
US7032110B1 (en) PKI-based client/server authentication
TWI439883B (en) Digital rights management (drm)-enabled policy management for an identity provider in a federated environment
CN102638454B (en) A plug-in single sign-on integration method for HTTP authentication protocol
JP5009294B2 (en) Distributed single sign-on service
JP4298969B2 (en) Method and system for controlling the scope of delegation of authentication credentials
KR101054700B1 (en) Manage digital rights management (DRM) enforcement policy for service providers in a federated environment
US20060294366A1 (en) Method and system for establishing a secure connection based on an attribute certificate having user credentials
GB2440425A (en) Single sign-on system which translates authentication tokens
Bhatti et al. An integrated approach to federated identity and privilege management in open systems
CN113329003A (en) Access control method, user equipment and system for Internet of things
Schardong et al. Post-quantum electronic identity: Adapting openid connect and oauth 2.0 to the post-quantum era
Rajathi et al. Practical Implementation and Analysis of TLS Client Certificate Authentication
Adams et al. Receipt-mode trust negotiation: efficient authorization through outsourced interactions
Goel Access Control and Authorization Techniques wrt Client Applications
Ozha Kerberos: An Authentication Protocol
Hosseyni et al. Formal security analysis of the OpenID FAPI 2.0 Security Profile with FAPI 2.0 Message Signing, FAPI-CIBA, Dynamic Client Registration and Management: technical report
Jiang et al. A security grid portal using pki and online proxy certificate repository
Moralis et al. Security Standards and Issues for Grid Computing
Talaviya et al. Security Assessment OAuth 2.0 System

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant